Error while requesting RDP-SSL certificate

Hello,

I have a CA server in my environment which is working perfectly fine while giving certificates to our 2000+ servers. But this one issue facing server which is reformated from windows 2003 to 2008 gets a error while i go to mmc and add the snap in of computer certificates. In personal when i request for certificate it gives as status:unavailable with a cross mark and error statements as "the permissions on this certification authority do not allow the current user to enroll for this type of certificate". While all permissions are in place and the certificate is working fine at other servers where imported.

Issue is only with one server which i stated above.. Early help appreciated please.
amjadmapariAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Patrick BogersDatacenter platform engineer LindowsCommented:
Hi.

In your CA, did you allow this server?
amjadmapariAuthor Commented:
For this RDP-SSL certificate template it is allowed to authenticated users for read and enroll.
Patrick BogersDatacenter platform engineer LindowsCommented:
Correct me if i am wrong, isnt it you are requesting a certificate for the local machine in which the server authenticates against the CA as domain\servername$ ?
Expert Spotlight: Joe Anderson (DatabaseMX)

We’ve posted a new Expert Spotlight!  Joe Anderson (DatabaseMX) has been on Experts Exchange since 2006. Learn more about this database architect, guitar aficionado, and Microsoft MVP.

amjadmapariAuthor Commented:
For the servers deployed in our environment we request a certificate from a subca server hosted in our environment for rdp-ssl properties as seen in screenshot.

While requesting for certificate through mmc in personal store of computer certificat we get error as "the permissions on this certification authority do not allow the current user to enroll for this type of certificate".

But the certificate is given read and enroll pernmissions for authenticated users and we facing this issue on only this one server.

certificate
amjadmapariAuthor Commented:
Also please find the print screen of error i am facing.

request cert
Patrick BogersDatacenter platform engineer LindowsCommented:
Steps to fix this are:

Logon to the CA server handing out this certificate
Start server manager -> open AD certificate services en click the + sign for CA server.
Rightclick on Certificate Templates en select Manage.
Right click the desired certificate and select 'duplicate template'.
On general give template a name and validity period and publish to AD.
Next in security select object types->Computers
Select de server, give it enroll read and write rights and select OK.

Allow DC's to replicate and reask the certifiate. This should do the trick.
amjadmapariAuthor Commented:
Thanks but when i try to request same certificate from different server in domain it shows up properly.
PFA snap.

cert
Patrick BogersDatacenter platform engineer LindowsCommented:
More reasons to believe the server account is not allowed isnt it?
becraigCommented:
A terminal server computer account must have Enroll permissions to read the appropriate certificate template.
To perform this procedure, you must have membership in the Enterprise Admins or Domain Admins group of the forest root domain, or you must have been delegated the appropriate authority.
To check the permissions that are granted to the terminal server on the certificate template:
On a computer where AD CS is installed, open the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type mmc, and then press ENTER.
On the File menu, click Add/Remove snap-in.
In the Add or Remove Snap-ins dialog box, click Certificate Templates, click Add, and then click OK.
In the console tree, click Certificate Templates.
In the results pane, right-click the certificate template that is used as the basis for the certificates that are enrolled to terminal servers, and then click Properties.
On the Security tab, under Group or user names, check whether the terminal server (or a security group that contains the terminal server) appears in the list, and then click it. With the terminal server (or the security group that contains the terminal server) selected, under Permissions, check whether the check box to allow Enroll permissions is selected, and then click OK.
If the check box to allow Enroll permissions is not selected, see the section titled "Grant Enroll permissions for the certificate template to the terminal server."

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
amjadmapariAuthor Commented:
ok
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.